
christr 08-01-2014 04:02 PM

/etc/pam.d/system-auth-ac vs. /etc/pam.d/password-auth-ac vs. /etc/pam.d/sshd
I'm trying to grasp a better understanding of PAM configuration in Red Hat. Our policies are all normally set in /etc/pam.d/system-auth-ac, but I've discovered that account lockouts don't really seem to be getting enforced for incoming ssh connections.

So I did a little research, and found this page. I tested it, and sure enough pam_tally2 works great now. I always thought Linux account lockouts went to /etc/shadow before this, similar to Unix. Now I've learned it's all tracked by pam_tally2 outside of /etc/shadow and our lockout policies actually haven't been working.

My question is that after reading the pages below I'm finding I now have more questions than I started with.

1. Red Hat PAM documentation
2. Red Hat PAM configuration files
3. serverfault - login vs system-auth
4. More login vs system-auth discussion

My question is that in a lot of my reading I see a lot of conflicting information on when to use the /etc/pam.d/system-auth and/or the /etc/pam.d/password-auth files, and/or /etc/pam.d/sshd. Even Red Hat's documentation doesn't explain it well. What are the true purposes of each of these files in relation to each other?

Inquiring minds want to know... :D


Ser Olmy 08-01-2014 06:26 PM

An application that uses PAM can have a configuration file bearing its name in /etc/pam.d/. If such a file exists, the rules in that file are processed whenever the application calls a PAM authentication function.

If no application-specific file exists, PAM will fall back to the rules in /etc/pam.d/other, if it exists. If neither this file nor an application-specific file exists, the authentication will fail.

Files like /etc/pam.d/system-auth and to a larger extent /etc/pam.d/password-auth are somewhat distribution-specific. Since no applications identify themselves as "system-auth" or "password-auth", these files are actually never called on their own. Instead, the contents of these files are pulled into other PAM configuration files with the "include" directive. That way, common settings for multiple applications can be stored in a single file.
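The lookup described in this answer, as an added example that is not part of the original thread: it expands the `include` (and `substack`) lines of a service file, falls back to `other` when the service has no file, and reports whether a module such as pam_tally2.so is actually reached. The sample files are constructed for illustration, the function names are hypothetical, and the parser ignores backslash line continuations.

```python
import tempfile
from pathlib import Path

# Constructed sample files: lockout rule only in system-auth, sshd includes password-auth.
SAMPLE = {
    "system-auth": "auth required pam_tally2.so deny=5\naccount required pam_tally2.so\n",
    "password-auth": "auth sufficient pam_unix.so\naccount required pam_unix.so\n",
    "login": "auth include system-auth\naccount include system-auth\n",
    "sshd": "auth include password-auth\naccount include password-auth\n",
    "other": "auth required pam_deny.so\n",
}

def parse_rule(line):
    """Return (type, control, module) for one PAM line, or None for blank/comment."""
    parts = line.split("#", 1)[0].strip().split(None, 1)
    if len(parts) < 2:
        return None
    rtype, rest = parts[0].lstrip("-"), parts[1]
    sep = "]" if rest.startswith("[") else None  # bracketed controls contain spaces
    control, rest = (rest.split(sep, 1) + [""])[:2]
    return (rtype, control, rest.split()[0]) if rest.split() else None

def effective_stack(service, pam_dir, only_type=None, seen=()):
    """Expand include/substack; a missing top-level file falls back to 'other'."""
    path = Path(pam_dir, service)
    if service in seen or not path.is_file():
        return effective_stack("other", pam_dir) if not seen and service != "other" else []
    rules = []
    with path.open() as fh:
        for rtype, control, module in filter(None, map(parse_rule, fh)):
            if only_type not in (None, rtype):
                continue  # an include pulls in only rules of its own type
            if control in ("include", "substack"):
                rules += effective_stack(module, pam_dir, rtype, seen + (service,))
            else:
                rules.append((rtype, module, service))
    return rules

def types_using(service, module, pam_dir="/etc/pam.d"):
    return sorted({t for t, m, _ in effective_stack(service, pam_dir) if Path(m).name == module})

def build_sample(pam_dir):
    for name, text in SAMPLE.items():
        Path(pam_dir, name).write_text(text)
    return pam_dir

if __name__ == "__main__":
    d = build_sample(tempfile.mkdtemp())
    print({s: types_using(s, "pam_tally2.so", d) for s in ("login", "sshd", "ftpd")})
```

With the constructed files, `login` reaches pam_tally2.so through system-auth while `sshd` does not, because its stack is built from password-auth.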

christr 08-01-2014 07:08 PM

Thank you so much! That was a very helpful answer.
